Bang for the buck: Penetration testing revisited

Over the last several years, healthcare providers have armed themselves with better detection and reporting tools, and as a result have seen a nearly 5% year-over-year improvement in time to detect and a 5.5% improvement in time to contain. Interestingly, over 47% of the healthcare providers surveyed claim to have tools in place that can detect a security breach in less than 24 hours.

Yet despite these better protection mechanisms, nearly 76% of the healthcare providers surveyed by HIMSS Cybersecurity experienced a security incident in the last 12 months.

The question to ponder, therefore, is why, even with improved and effective tools in place, healthcare organizations in the US have seen intrusion activity increase in both frequency and intensity.

To understand this better, let us look at some of the security practices adopted by healthcare providers, as reported in the 2018 HIMSS Cybersecurity Survey.


Over 76.3% of the healthcare providers surveyed conducted a security risk assessment only once a year or less often. Given the dynamic nature of the cybersecurity landscape, with ever-expanding threat vectors and a continuously growing attack surface, it is not surprising that these assessments end up being mostly reactive, post-incident operations.

Further dissection of these practices reveals that new security measures adopted in response to risk assessment findings and recommendations often fall short of their intended goals. For example, 37.1% of healthcare providers performed penetration testing once a year, while only 11.8% did so monthly. Penetration testing coverage was also very poor for medical devices: only 3.8% of the healthcare providers surveyed included medical devices in the scope of their penetration testing.

However, it is important to understand that for healthcare providers, service availability is critical and is probably as important as security, if not more so, because lives depend on it. Centralized penetration testing is an expensive, resource-intensive operation and therefore needs to be scheduled so that it has no, or very low, impact on service availability. Hospitals with trauma centers and emergency rooms require continuous availability of their devices, so it is not always feasible to schedule offensive security activities like penetration testing, which can be highly invasive: a malformed probe that a general-purpose server shrugs off can hang or reboot an embedded medical device.

At Hmatix, we recommend the following gold standards for penetration testing to achieve maximum benefit:

1. Decentralize the penetration testing: Centralized operations are not fully effective, as their traffic may be blocked by routers and firewalls unless they are well coordinated with the different service departments and scheduled properly.

2. Perform the testing as close to the endpoint as possible: When performed close to the endpoint, the operation is localized, uses minimal bandwidth, is far less likely to be blocked along the way, and has no impact on the performance or availability of the service.

3. It should not be service impacting: It is important to have a security framework that can intelligently schedule penetration testing, taking into account the local operational status of the device (for example, deferring a test while the device is in clinical use and alerting if the deferral drags on).

4. Perform it daily: Performing penetration testing daily drastically reduces the vulnerability exposure window and thereby radically brings down the mean time to identify (MTTI).
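To make points 3 and 4 concrete, here is an added example (not Hmatix code, and not code from the original page) of an endpoint-local scheduler: it keeps a daily cadence but fires only when the device reports itself idle, alerts rather than silently slipping when no idle slot can be found, and records the run history so the per-flaw detection delay (the input to MTTI) can be measured. The device names, the clinical-use windows and the `test_fn` callback that stands in for the localized test are all constructed for illustration; the block performs no probing of its own.

```python
# Added illustration (not Hmatix code): a local scheduler that runs a
# localized test on a device only when the device is idle, keeps a daily
# cadence, and exposes the run history for MTTI-style measurement.
# All device data below is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

Window = Tuple[datetime, datetime]


@dataclass
class Device:
    name: str
    # Constructed clinical-use windows during which a test must never run.
    in_use: List[Window] = field(default_factory=list)
    last_tested: Optional[datetime] = None

    def busy_at(self, t: datetime) -> bool:
        return any(start <= t < end for start, end in self.in_use)


def next_run(device: Device, now: datetime,
             cadence: timedelta = timedelta(days=1),
             step: timedelta = timedelta(minutes=15),
             horizon: timedelta = timedelta(days=1)) -> Optional[datetime]:
    """Earliest idle instant at or after the device's next due time.

    Due time is `now` for a never-tested device, otherwise
    last_tested + cadence (never earlier than now). The search walks
    forward in `step` increments up to `horizon` past the due time.
    None means no idle slot exists in that horizon: the caller should
    raise an alert instead of quietly extending the exposure window.
    """
    due = now if device.last_tested is None else max(now, device.last_tested + cadence)
    t = due
    while t < due + horizon:
        if not device.busy_at(t):
            return t
        t += step
    return None


def run_if_due(device: Device, now: datetime,
               test_fn: Callable[[Device], List[str]],
               cadence: timedelta = timedelta(days=1)) -> Tuple[str, List[str]]:
    """Run test_fn at this instant only if the device is due and idle.

    Returns (status, findings), status in {"ran", "deferred", "not-due"}.
    """
    if device.last_tested is not None and now < device.last_tested + cadence:
        return "not-due", []
    if device.busy_at(now):
        return "deferred", []          # in clinical use: never interrupt it
    findings = test_fn(device)
    device.last_tested = now
    return "ran", findings


def simulate(device: Device, start: datetime, end: datetime,
             test_fn: Callable[[Device], List[str]],
             tick: timedelta = timedelta(minutes=15),
             cadence: timedelta = timedelta(days=1)) -> List[datetime]:
    """Drive the scheduler over [start, end) and return the times it ran."""
    runs: List[datetime] = []
    t = start
    while t < end:
        status, _ = run_if_due(device, t, test_fn, cadence)
        if status == "ran":
            runs.append(t)
        t += tick
    return runs


def detection_delay(run_times: List[datetime],
                    introduced_at: datetime) -> Optional[timedelta]:
    """Time from a flaw appearing until the first completed test after it
    (this flaw's contribution to MTTI); None if no test ran afterwards."""
    later = [t for t in run_times if t >= introduced_at]
    return min(later) - introduced_at if later else None


def demo_device() -> Device:
    # Constructed: an infusion pump in use 08:00-09:00 on day 1 and
    # 09:00-12:00 on day 2.
    return Device("pump-01", in_use=[
        (datetime(2024, 1, 1, 8), datetime(2024, 1, 1, 9)),
        (datetime(2024, 1, 2, 9), datetime(2024, 1, 2, 12)),
    ])


def noop_test(device: Device) -> List[str]:
    # Placeholder for the localized test; a real one would return findings.
    return []


if __name__ == "__main__":
    dev = demo_device()
    runs = simulate(dev, datetime(2024, 1, 1, 8), datetime(2024, 1, 3), noop_test)
    print("test runs:", [r.isoformat() for r in runs])
    print("delay for a flaw introduced 2024-01-01 10:00:",
          detection_delay(runs, datetime(2024, 1, 1, 10)))
```

Note the two behaviours a practitioner should check in any such scheduler: the run on day 2 slips from the 09:00 due time to 12:00 because the device was in use, and a device that is never idle within the horizon yields `None` rather than an unbounded deferral, which is the case that should page someone.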

For more information on how Hmatix can provide a fully automated, plug-and-play cybersecurity solution with built-in, decentralized, least-invasive penetration testing and intelligent scheduling for medical devices, please contact us at